Proofpoint researchers have been tracking a botnet operating on thousands of compromised web servers this year. The botnet, dubbed Brain Food after the bogus diet and intelligence-boosting pills it helps sell, is used to disguise the call-to-action URLs in email spam.
Brain Food is a PHP script that we have found on over 5,000 compromised websites over the past four months. Over 2,400 of those have shown activity in the past 7 days. Nearly 40% of the compromised sites are hosted on five platforms (Figure 1). We have reached out to GoDaddy about this and discussed ways of addressing the problem with them.
Figure 1: Top hosts of websites compromised with Brain Food
An individual website may contain multiple copies of the PHP script. We have observed this script installed on websites using different content management systems including WordPress and Joomla.
Brain Food is usually the second step in a chain of redirections, with the first being a URL shortener link in spam. In the past week, we have detected over 7,300 distinct URL shortener links used by this spammer, of which 55% were goo.gl links and 45% used bit.ly. As shown in Figure 2, this pattern has been consistent over time, except for a period of roughly two weeks in late April 2018. On April 13, Google stopped anonymous users from creating new goo.gl links, at which point the spammer switched most of their activity to bit.ly to maintain total spam volume. However, by the end of April, the spammer appears to have found a means of circumventing the Google restrictions and reverted to their previous split between the two URL shortener services (Figure 2).
Figure 2: URL shorteners used by the Brain Food spammer
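The two-stage chain described above (shortener link in the email, then the Brain Food script on a compromised site, then the landing page) is easiest to map by fetching each hop yourself and refusing to auto-follow redirects, so that the intermediate compromised host is recorded rather than skipped. The following is an added example written for this page, not Proofpoint's tooling and not the Brain Food script itself. It uses `http.client`, which never follows redirects on its own, and walks the chain with a hop cap and a loop guard. Because there is no network in a demo, it spins up a constructed local HTTP server that plays all three roles; the paths (`/s/abc`, `/wp-content/plugins/cache/r.php`, `/offer/index.html`) and the landing-page text are invented for the example and are not indicators from the research.

```python
"""Walk an HTTP redirect chain hop by hop without auto-following.

Added example for this page (not Proofpoint code, not the Brain Food script).
The demo server below is a constructed stand-in for shortener -> redirector
script on a compromised site -> landing page; every path and string in it is
invented for illustration.
"""
import http.client
import http.server
import threading
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # spam chains are short; anything longer is suspicious in itself


def fetch_once(url, timeout=5):
    """GET `url` exactly once and return (status, Location header, body prefix).

    http.client does not follow redirects, so a 30x comes back as-is and the
    caller sees every intermediate host instead of only the final page.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("GET", path, headers={"User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read(512)
    finally:
        conn.close()


def resolve_chain(url, max_hops=MAX_HOPS):
    """Return {"hops": [(url, status), ...], "final": url, "stopped": reason}.

    Only HTTP-level (Location header) redirects are followed; meta-refresh and
    JavaScript redirects on a landing page are deliberately not executed.
    """
    hops, seen, current = [], set(), url
    while True:
        if current in seen:
            return {"hops": hops, "final": current, "stopped": "loop"}
        if len(hops) >= max_hops:
            return {"hops": hops, "final": current, "stopped": "max_hops"}
        seen.add(current)
        status, location, body = fetch_once(current)
        hops.append((current, status))
        if 300 <= status < 400 and location:
            current = urljoin(current, location)  # Location may be relative
            continue
        return {"hops": hops, "final": current, "stopped": "terminal",
                "status": status, "body": body}


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed chain: /s/abc (shortener) -> r.php (planted redirector)
    -> /offer/index.html (landing page). /loop redirects to itself."""

    def do_GET(self):
        base = "http://127.0.0.1:%d" % self.server.server_port
        if self.path == "/s/abc":
            self._redirect(301, base + "/wp-content/plugins/cache/r.php?k=4")
        elif self.path.startswith("/wp-content/plugins/cache/r.php"):
            self._redirect(302, "/offer/index.html")  # relative Location
        elif self.path == "/offer/index.html":
            body = b"<html><body>Miracle diet pills, as seen on TV</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/loop":
            self._redirect(302, "/loop")
        else:
            self.send_error(404)

    def _redirect(self, code, location):
        self.send_response(code)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the constructed chain on a random loopback port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    server, base = start_demo_server()
    try:
        result = resolve_chain(base + "/s/abc")
        for hop_url, status in result["hops"]:
            print(status, hop_url)
        print("final:", result["final"], "(%s)" % result["stopped"])
        print("loop test:", resolve_chain(base + "/loop")["stopped"])
    finally:
        server.shutdown()
```

Against a real spam link the middle hop is the interesting one: it is the compromised customer site carrying the PHP script, and it is what you would report to the hosting provider. Run this from an isolated host, since the request does reach the spammer's infrastructure, and expect some landing pages to redirect again client-side in ways this walker intentionally does not follow.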
The emails distributing these links are very simple, with no subject line and only a basic personalized greeting (Figure 3):
Figure 3: Sample email distributing links to Brain Food redirects
The final landing pages currently advertise diet pills, although this same script was previously used to redirect to landing pages for a diet supplement claiming to increase intelligence. The landing pages typically feature stolen branding and claim the product has been featured on popular TV shows such as Shark Tank. Figure 4 shows one such landing page mimicking Entertainment Today: